U.S. Accuses Russian Email Spammer of Vast Network of Fraud

President Trump boarded Air Force One on Sunday. The Justice Department’s accusations against a Russian email spammer are sure to raise tensions when Secretary of State Rex W. Tillerson visits Moscow this week. Credit: Doug Mills/The New York Times

Several years ago, federal agents traveled to Moscow to enlist the help of their Russian counterparts in arresting one of the world’s most pernicious email spammers. They were rebuffed, a former American law enforcement official who was there said. The spammer, who used the pseudonym Peter Severa, was protected, probably by the Russian government, and could not be touched.

The agents went home and waited for their target to make a mistake.

Last week he did, traveling for vacation to Barcelona, Spain, where the agents who had been following him for years were ready. Early last Friday, Spanish police burst into the hotel room where the spammer was staying with his family and arrested him. Simultaneously, cybersecurity operatives from the Federal Bureau of Investigation and several private companies took down his online network of tens of thousands of virus-infected computers.

On Monday, the Department of Justice unsealed court papers accusing the spammer, whose real name is Peter Levashov, of wire fraud and unauthorized interception of electronic communications. Mr. Levashov, 36, is expected to be extradited to the United States.

Officials said Mr. Levashov’s arrest and the takedown of his network ended a vast criminal enterprise. For more than a decade, Mr. Levashov used his online empire to enrich himself and help others drain bank accounts and commit stock fraud, officials said. He has flooded computers with millions of spam email messages advertising counterfeit pharmaceuticals and remedies for erectile dysfunction, using subject lines like “No amorous failure risk.”

But as the Trump administration’s early hopes of a rapprochement with the Kremlin have given way to increasing rancor, Mr. Levashov’s arrest is certain to heighten tensions. In the past, the Kremlin deplored such arrests as tantamount to kidnapping. An advisory on the website of the Foreign Ministry accused the United States of “hunting Russians around the world,” and urged citizens to take precautions. Mr. Levashov was captured three months after the arrest of Stanislav Lisov, a Russian hacking suspect, also in Barcelona.

The arrests are likely to increase discord when Secretary of State Rex W. Tillerson visits Moscow this week.

Government agents and cybersecurity analysts have followed Mr. Levashov since at least 2006. In that time, he has made a fortune clogging inboxes with spam using a network of computers infected with a malware known as Kelihos.

The cost of a spam campaign ranged from $200 to $500 per one million email messages, though he offered discounts of more than 50 percent for bulk orders. Mr. Levashov charged more to target American computers, an indication that these were a higher priority, court documents said.

Mr. Levashov was also known to rent his huge network of virus-infected computers to online criminals who would use it to tap bank accounts and distribute ransomware, viruses that encrypt data in an infected computer or smartphone.

At times, cybersecurity specialists said, Mr. Levashov had control of more than 100,000 computers. He has already been indicted twice in the United States on wire and computer fraud charges.

“He was a kingpin in the criminal underground,” said Brett Stone-Gross, a cybersecurity analyst who has tracked Mr. Levashov for years.

Despite his sprawling criminal enterprise, Mr. Levashov appears to have lived openly and lavishly in St. Petersburg, his hometown. He had a large home and bodyguards and traveled around town in an armored sedan, according to someone with knowledge of the investigation into his activities, who asked to remain anonymous because the information is confidential. His wife was said to be a high-end wedding planner sought by St. Petersburg’s elite.

Though he engaged primarily in criminal exploits, Mr. Levashov appears to have occasionally dabbled in politics, suggesting collusion with the Russian government.

During Russia’s 2012 presidential election, his computer network was used to spread fake news stories about one of Vladimir V. Putin’s opponents, the billionaire businessman and Brooklyn Nets owner, Mikhail D. Prokhorov, saying he had come out as gay.

Text overlaid on a picture of Mr. Prokhorov said, “Everybody who knows me knows I am a,” followed by an anti-gay slur.

Some have speculated that Mr. Levashov also helped carry out a huge assault on Estonian government and banking computers in 2007 that is considered one of the first examples of cyberwarfare. The attack is widely believed to have been retaliation by Russia after Estonian authorities removed a World War II memorial to Soviet soldiers from its pedestal in the center of the capital, Tallinn.

Cooperation between Russian government agencies and cybercriminals is not uncommon. Russian hackers have access to the contents of millions of infected computers around the world, and there is evidence that Russian intelligence agencies piggyback on their criminal operations as a form of cheap intelligence gathering.

Last month, the Justice Department indicted two Russian intelligence agents, accusing them of working with a suspect in criminal hacking to breach Yahoo and steal account information from hundreds of millions of users.

Current and former F.B.I. agents said they have rarely, if ever, received help from Russia to arrest cybercrime suspects. More often than not, they said, the hacker is recruited to work for the government.

Sending spam is not illegal in Russia, and cybercriminals usually avoid directing more harmful attacks against computers on Russian territory.

When arrests do occur, it is because the suspect enters a country that has a collaborative law enforcement relationship with the United States.

It is not clear why Mr. Levashov would risk traveling abroad. Cybersecurity researchers had long ago guessed his true identity, and in recent years American law enforcement has stepped up arrests of criminal suspects from Russia. The Russian foreign ministry estimates that as many as three dozen Russian citizens have been arrested under similar circumstances at the behest of American authorities.

In late March, the F.B.I. received information that Mr. Levashov had left his home in St. Petersburg and traveled to Spain. American officials would not comment on how they learned of his travel plans or say whether the Russian government had cooperated.

To shut down the criminal network, specialists at the F.B.I.’s field office in Anchorage and two cybersecurity companies, CrowdStrike and Shadowserver, took advantage of a flaw in the Kelihos malware to gain access to computers controlled by Mr. Levashov and reroute them to an F.B.I.-controlled server called a sinkhole.

During the operation, the F.B.I. for the first time used powers granted under amendments to what is known as Rule 41 of the Federal Rules of Criminal Procedure, which give broad authorization to hack into virus-infected computers. Officials said that this was done to wrest control of the computers from Mr. Levashov and that no hard drives were searched.

Mr. Levashov will remain imprisoned in Spain while American officials negotiate his extradition.

Vindu Goel contributed reporting from San Francisco, and Andrew E. Kramer from Moscow.